Below is the violation detected for a certain URI. We are looking to disable only for this specific URI
Evasion technique detected [1] Detected Evasion Technique Bad unescape
Parameter Value "1.0"?<UserName>xxxxxxx</UserName><UserPassword>Hello123%</UserPassword><CurrentDateTime>2023-05-29</CurrentDateTime><UserType>U
ssword>Hello123%</UserPassword><
(Password contains the character '%')
1. Would the following iRule help? Can we also include character of the parameter value to the iRule to be more specific (ASM::violation details, parameter_data.value)
when ASM_REQUEST_DONE { if {[ASM::violation names] contains "Evasion technique detected" and [string tolower [HTTP::uri]] contains "URI"} { ASM::unblock log local0. "ASM unblocking [HTTP::uri]" } }
2. Would adding a return carriage or a space to the html code before the </UserPassword> work?
But what if another violation under ( Evasion Technique Detection ) other than Badunescape one.
I would recommend to adjust the system variable attribute "ecard_max_http_req_uri_len" to higher value but you need to do that in a maintenance window because you need to restard asm deamon service for the changes to take effect , to do that please refer to this article : https://my.f5.com/manage/s/article/K000092642 you will find within it another article with the steps.
